- Splunk Answers
- :
- Splunk Administration
- :
- Getting Data In
- :
- Unable to send data from an Universal Forwarder to...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Unable to send data from an Universal Forwarder to a Splunk Server
Hello,
I'm new to splunk and I'm currently trying to set up a communications from a Universal Forwarder + Syslog NG server to a Splunk server.
CONFIG
On UForwarder side
Inputs
[default]
host = syslog01.abc.local
[monitor:////var/log/syslog-ng/logs/cisco/$HOST/$YEAR-$MONTH-$DAY-cisco.log]
sourcetype = syslog
index = cisco
disabled = false
host_segment = 6
Outputs
[tcpout]
defaultGroup = default-autolb-group
[tcpout:default-autolb-group]
server = @.220:9997
[tcpout-server://@.220:9997]
On Splunk server side
[default]
host = frontlog.abc.local
[splunktcp://9997]
disabled=0
SHOWS
On Forwared side
[root@syslog01 local]# netstat -anp | grep 9997
tcp 0 1 @.219:48676 @.220:9997 SYN_SENT 2762/splunkd
07-08-2016 06:59:51.093 +0200 WARN TcpOutputProc - Cooked connection to ip=@.220:9997 timed out
07-08-2016 07:00:21.094 +0200 WARN TcpOutputProc - Cooked connection to ip=@.220:9997 timed out
07-08-2016 07:00:43.602 +0200 WARN TcpOutputProc - Forwarding to indexer group default-autolb-group blocked for 3400 seconds.
07-08-2016 07:00:51.093 +0200 WARN TcpOutputProc - Cooked connection to ip=@.220:9997 timed out
07-08-2016 07:01:21.093 +0200 WARN TcpOutputProc - Cooked connection to ip=@.220:9997 timed
On server/receiver side:
tcp 0 0 0.0.0.0:9997 0.0.0.0:* LISTEN 7969/splunkd
Nothing relevant on splunkd.log
I've been able to telnet the server on port 9997.
Thanks
Best regards
Franck
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Can you telnet from your UF to your indexer on port 9997?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
We see -
-- 07-08-2016 06:59:51.093 +0200 WARN TcpOutputProc - Cooked connection to ip=@.220:9997 timed out
The following speaks about a similar issue - cooked connection timed out?
The issue there was - found the issue - missing indexer cert.
Maybe a similar thing is in your case...
More about it at TcpOutputProc - Cooked connection to ip=x.x.x.x:9997 timed out
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Do you have set compressed = true on UF or indexer side?
Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...
.conf24 | Registration Open!
ICYMI - Check out the latest releases of Splunk Edge Processor
